Tuesday, 4 March 2014

Running Java applications without installing Java

Although it seems to be a dying breed, there are still some Java client-side applications that you may want or need to use e.g. the excellent Burp Suite.  But this means having Java installed on your workstation - queue dramatic music.

This is less like handing over the keys to your computer than it used to be.  Java can be configured so that Java content is disabled in all browsers (at least from version 7 update 10 and higher).  But if the application requires an old version, or you just have little faith in the Swiss cheese that is Java's security controls, then it would be nice to isolate your Java installation.

There are several ways to isolate Java, from hardening its configuration to only running it in a virtual machine. What I'm going to suggest here is another option, using Java without installing Java.

This approach is already really common with server-side applications.  It is common for server-side applications to install themselves with their own copy of the Java runtime, as this means there is no danger of compatibility issues with the current shared install of Java on the server or any updates to it.  So why not take the same approach for client-side applications, and benefit from isolating Java to the one application that needs it.

So here's what to do (using Windows notation, but it's similar for non-Windows):
  1. Obtain the offline Java installation .exe
  2. Follow these instructions to get access to the Data1.cab file
  3. Unzip the Data1.cab to get the core.zip file
  4. Unzip the core.zip file to get the JRE files
  5. In the .\lib folder there are several .pack files, you need to unpack these to their .jar equivalents using unpack200.exe (in the .\bin folder) e.g. "..\bin\unpack200.exe -r rt.pack rt.jar".  Hat tip.
  6. (Optional) You can remove several files as they are usually unnecessary (importantly the browser plugin is one of them).  This makes the total size smaller, but not by much.
  7. Run you client-side Java application by directly invoking .\bin\java.exe
The JRE files come in at about 100Mb (for version 7 update 51) so I wouldn't necessarily be doing this separately for lots of applications.

I got this working for Burp Suite, but I didn't regression test all of its functionality, so whilst the method seems to work, I can't give any guarantees it does. YMMV.


1 comment:

  1. Run Jar Java Application without Installing JRE :
    How can you run Jar Java application without installing Java Runtime Environment (JRE). I've solution for this scenerio :
    The answer is jPortable, a portable Java Runtime Environment that is provided by Portable Apps. While designed for use with portable programs offered by the site and service, it is not restricted to that.